b'                 Sensitive Data Sent Via Email Is Adequately\n                Protected, but Controls Could Be Streamlined\n\n                                  February 2005\n\n                       Reference Number: 2005-20-038\n\n\n\n\nThis report has cleared the Treasury Inspector General for Tax Administration disclosure\nreview process and information determined to be restricted from public release has been\n                              redacted from this document.\n\x0c                                    DEPARTMENT OF THE TREASURY\n                                         WASHINGTON, D.C. 20220\n\n\n\n\nINSPECTOR GENERAL\n     for TAX\n  ADMINISTRATION\n\n\n\n\n                                         February 22, 2005\n\n\n      MEMORANDUM FOR CHIEF INFORMATION OFFICER\n\n\n\n      FROM:                  Pamela J. Gardiner\n                             Deputy Inspector General for Audit\n\n      SUBJECT:               Final Audit Report - Sensitive Data Sent Via Email Is Adequately\n                             Protected, but Controls Could Be Streamlined\n                             (Audit # 200420022)\n\n      This report presents the results of our review of the Internal Revenue Service\xe2\x80\x99s (IRS)\n      controls to protect sensitive data sent via email. The IRS routinely works with sensitive\n      but unclassified data such as taxpayers\xe2\x80\x99 personal financial data and employees\xe2\x80\x99 data.\n      Most managers and employees have access to email and can send sensitive data to\n      other employees to expedite their work. Including sensitive data in email poses certain\n      risks. Specifically, email, if not properly encrypted, can be intercepted by unauthorized\n      persons, and employees can inadvertently disclose sensitive data by sending email to\n      the wrong recipient. The overall objective of this review was to determine whether the\n      IRS is adequately protecting sensitive data sent via email.\n      In summary, the IRS has controls in place to adequately protect sensitive data sent via\n      email. The IRS uses features available on its email system to automatically encrypt\n      emails. Encryption is a method of \xe2\x80\x9cscrambling\xe2\x80\x9d text or data so that it is unreadable.\n      Software on each employee\xe2\x80\x99s computer encrypts data prior to moving the data across\n      network lines. Emails transmitted from one IRS building to another IRS building are\n      encrypted at an even higher level than emails transmitted within an IRS building.\n      Emails forwarded outside the IRS network (e.g., to taxpayers or employees\xe2\x80\x99 home\n      computers) are not encrypted. However, we found no instances in our tests of sensitive\n      emails being forwarded outside the IRS network.\n      The IRS established its Secure Messaging program in June 2002 to ensure that emails\n      containing sensitive data sent within IRS buildings were encrypted at the same level as\n      emails sent between IRS buildings. Secure Messaging also keeps messages encrypted\n      while stored on servers, creates employee awareness to protect sensitive data, and\n\x0c                                           2\n\ngives the IRS experience that may be beneficial if similar technology is ever used for\nbroader purposes. However, Secure Messaging has several disadvantages. Primarily,\nit is difficult for management to enforce its use.\nWhen the IRS implemented Secure Messaging in June 2002, the goal was to have\n100 percent of all employees enrolled in the program by September 30, 2002.\nHowever, as of September 2004, 2 years into the program, IRS records indicated that\nonly 76 percent of the nearly 82,000 email mailboxes had been enrolled. Since both the\nsender and receiver of an email must be enrolled in Secure Messaging for it to work, its\neffectiveness has been limited. Additionally, IRS employees, even those enrolled in the\nSecure Messaging program, are not using it consistently. In our sample, 43 percent of\nthe mailboxes contained sensitive data that had not been encrypted with Secure\nMessaging as required.\nSecure Messaging also requires additional expenditures. It increases the size of\nemail messages which places more demands on the IRS telecommunications system\nand computer storage capabilities. In addition to the $350,000 spent to start up the\noriginal Secure Messaging program, the IRS is incurring ongoing costs to administer it.\nThe program requires dedicated servers and 5 part-time employees at a cost of\n$156,000 per year to manage the hardware and software.\nAt your request, we evaluated Homeland Security Presidential Directive (HSPD) 12,\ndated August 27, 2004, entitled \xe2\x80\x9cPolicy for Common Identification Standard for Federal\nEmployees and Contractors,\xe2\x80\x9d and determined that this Directive has no impact on\nSecure Messaging.\nWe recommended the Chief Information Officer (CIO) coordinate with business unit\nowners to reevaluate and weigh the costs and benefits of continuing the Secure\nMessaging program. If the CIO and the business unit owners determine that the\nprogram should continue, they should ensure all IRS employees who send sensitive\ndata via email are enrolled in the Secure Messaging program and comply with its\nprocedures. In addition to continuing awareness training efforts, first-line managers\nshould periodically review employees\xe2\x80\x99 use of Secure Messaging to ensure compliance.\nManagement\xe2\x80\x99s Response: The CIO agreed with two of the three recommendations in\nthis report. The CIO will promote employee awareness of the Secure Messaging\nprogram through the Modernization and Information Technology Services (MITS)\norganization\xe2\x80\x99s website and other communication channels as needed. The Mission\nAssurance and Security Services (MA&SS) organization will incorporate Secure\nMessaging within the annual online computer security awareness training required for\nall employees. The MA&SS and MITS organizations plan to issue a joint memo\nmandating the enrollment of all employees in the Secure Messaging program, and the\nMITS organization will work with the business units to develop a cost-effective way of\nassessing compliance. The CIO did not agree to coordinate with business owners to\nreevaluate and weigh the costs and benefits of the Secure Messaging program as we\nrecommended. Citing HSPD 12, dated August 27, 2004, entitled \xe2\x80\x9cPolicy for Common\nIdentification Standard for Federal Employees and Contractors,\xe2\x80\x9d the CIO will continue\n\x0c                                          3\n\nusing Secure Messaging as a key component in the IRS\xe2\x80\x99 transition to implement Public\nKey Infrastructure as a logical access control. The CIO also questioned our sampling\nmethodology. Management\xe2\x80\x99s complete response to the draft report is included as\nAppendix IV.\nOffice of Audit Comment: We believe the conclusions and recommendations in this\nreport are valid. Based on our review of HSPD 12 and interviews with Federal\nGovernment experts on the subject, we believe HSPD 12 is not relevant to Secure\nMessaging. Regarding our sampling methodology, we selected a random sample of\n60 mailboxes and reviewed approximately 21,000 emails in our review and reached\nconclusions based on that analysis. Our sample was clearly large enough to support\nour conclusion that IRS employees are not complying with Secure Messaging\nprocedures. A statistical sample was not necessary because we did not intend to\nproject our results to the entire population of IRS emails. We made the\nrecommendation to evaluate costs and benefits because we believe the IRS could save\ncosts and reduce the impact on managers and employees by not requiring Secure\nMessaging. While we still believe our recommendation is worthwhile, we do not intend\nto elevate our disagreement concerning it to the Department of the Treasury for\nresolution.\nPlease contact me at (202) 622-6510 if you have questions or Margaret E. Begg,\nAssistant Inspector General for Audit (Information Systems Programs) at\n(202) 622-8510.\n\x0c                        Sensitive Data Sent Via Email Is Adequately Protected,\n                                  but Controls Could Be Streamlined\n\n\n\n\n                                                  Table of Contents\n\n\nBackground ............................................................................................... Page 1\nControls Are in Place to Protect Sensitive Data Sent Via Email................ Page 2\nThe Encryption of Emails Could Be Streamlined....................................... Page 2\n         Recommendation 1: .........................................................................Page 5\n         Recommendations 2 and 3: .............................................................Page 6\n\nAppendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology....................... Page 7\nAppendix II \xe2\x80\x93 Major Contributors to This Report ....................................... Page 9\nAppendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 10\nAppendix IV \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report .................... Page 11\n\x0c             Sensitive Data Sent Via Email Is Adequately Protected,\n                       but Controls Could Be Streamlined\n\n                             The Internal Revenue Service (IRS) routinely works with\nBackground\n                             sensitive but unclassified (SBU) data such as taxpayers\xe2\x80\x99\n                             personal financial data, law enforcement information, and\n                             employees\xe2\x80\x99 data. Most managers and employees have\n                             access to email and can send sensitive data to other\n                             employees to expedite their work. Including sensitive data\n                             in email poses certain risks. Specifically, email, if not\n                             properly encrypted, can be intercepted by unauthorized\n                             persons, and employees can inadvertently disclose sensitive\n                             data by sending emails to the wrong recipient.\n                             The National Institute of Standards and Technology (NIST)1\n                             publication Guidelines on Electronic Mail Security\n                             (NIST SP 800-45) recommends specific levels of encryption\n                             for Federal Government organizations to protect email\n                             during the transmission of messages. The NIST guidelines\n                             also recommend encrypted messages be stored in their\n                             encrypted format. Treasury Directive 85-01, dated\n                             June 12, 2003, directs all bureaus to provide appropriate\n                             security for their email systems in accordance with\n                             NIST SP 800-45 guidance.\n                             The IRS established the Secure Messaging program in\n                             June 2002 to address the NIST guidelines and its concerns\n                             with sending sensitive data via email. Secure Messaging\n                             allows users to encrypt messages so only recipients who\n                             have been granted the secure messaging capability can\n                             decrypt and read the message and any attachments.\n                             At the request of the IRS\xe2\x80\x99 Chief Information Officer (CIO),\n                             we evaluated Homeland Security Presidential Directive\n                             (HSPD) 12, dated August 27, 2004, entitled \xe2\x80\x9cPolicy for\n                             Common Identification Standard for Federal Employees\n                             and Contractors\xe2\x80\x9d to determine if it had an impact on\n                             Secure Messaging. We also reviewed the draft Federal\n                             Information Processing Standards Publication 201, entitled\n                             \xe2\x80\x9cPersonal Identity Verification (PIV) for Federal Employees\n                             and Contractors,\xe2\x80\x9d and attended a public forum on HSPD 12.\n\n\n\n                             1\n                               The NIST is a non-regulatory Federal agency within the United States\n                             Commerce Department\xe2\x80\x99s Technology Administration. It promotes the\n                             United States economy and public welfare by providing technical\n                             leadership for the nation\xe2\x80\x99s measurement and standards infrastructure.\n                                                                                            Page 1\n\x0c                    Sensitive Data Sent Via Email Is Adequately Protected,\n                              but Controls Could Be Streamlined\n\n                                    Our analysis determined that this Directive has no impact on\n                                    Secure Messaging.\n                                    This review was performed in the Office of the CIO at the\n                                    IRS National Headquarters in Washington, D.C., during the\n                                    period April through September 2004. The audit was\n                                    conducted in accordance with Government Auditing\n                                    Standards. Detailed information on our audit objective,\n                                    scope, and methodology is presented in Appendix I. Major\n                                    contributors to the report are listed in Appendix II.\n                                    Data sent from employee to employee is protected across\n Controls Are in Place to Protect\n                                    the IRS network\n Sensitive Data Sent Via Email\n                                    The IRS uses features available on its email system to\n                                    automatically encrypt emails. Encryption is a method of\n                                    \xe2\x80\x9cscrambling\xe2\x80\x9d text or data so that it is unreadable. Software\n                                    on each employee\xe2\x80\x99s computer encrypts data prior to moving\n                                    the data across network lines. The text or data is then\n                                    decrypted, or unscrambled, on the receiver\xe2\x80\x99s computer so it\n                                    is again readable. Emails sent between IRS buildings are\n                                    encrypted at an even higher level than emails sent within an\n                                    IRS building.\n                                    We found no evidence that employees were sending\n                                    emails containing SBU data outside the IRS\n                                    Emails sent outside the IRS wide area network (e.g., to\n                                    taxpayers or employees\xe2\x80\x99 home computers) are not encrypted\n                                    and, as a result, the IRS prohibits this practice. We\n                                    judgmentally selected mailboxes of 60 employees who\n                                    would likely work with sensitive data. To accomplish this,\n                                    we selected employees that work in five of the IRS\xe2\x80\x99\n                                    business units: the Appeals function, Agency-Wide Shared\n                                    Services, Small Business/Self-Employed Division, Large\n                                    and Mid-Size Business Division, and Tax Exempt and\n                                    Government Entities Division. In our review of emails sent\n                                    from these mailboxes over a 14-week period from\n                                    April 1, 2004, to July 14, 2004, we did not identify any\n                                    emails containing SBU data that were sent outside the IRS\n                                    network.\n                                    The IRS established its Secure Messaging program in\nThe Encryption of Emails Could\n                                    June 2002 to enhance the encryption of emails containing\nBe Streamlined\n                                    sensitive data. To successfully use Secure Messaging, both\n                                    the sender and receiver must enroll in the program. To\n                                                                                          Page 2\n\x0cSensitive Data Sent Via Email Is Adequately Protected,\n          but Controls Could Be Streamlined\n\n                enroll, users access a web site so security personnel can\n                ensure the user\xe2\x80\x99s computer meets certain security\n                configurations.\n                Secure Messaging uses Public Key Infrastructure (PKI)\n                technology to encrypt emails. PKI technology protects\n                messages with a combination of public and private \xe2\x80\x9ckeys\xe2\x80\x9d\n                which allows users to encrypt and decrypt the messages.\n                Both sender and receiver must be listed on the IRS\xe2\x80\x99 list of\n                email addresses to enroll in Secure Messaging.\n                To encrypt a message, the sender must select the recipient\xe2\x80\x99s\n                name from the IRS\xe2\x80\x99 list of email addresses and also select\n                the Secure Messaging option when sending the message.\n                To decrypt the message, the recipient must enter a\n                previously chosen password that can be used to open all of\n                their emails encrypted with Secure Messaging.\n                Secure Messaging does provide the IRS with certain\n                enhancements. For example:\n                    \xe2\x80\xa2   The use of Secure Messaging creates an awareness\n                        of the need to protect sensitive data when using\n                        email.\n                    \xe2\x80\xa2   Secure Messaging provides the capability to provide\n                        the same level of encryption for emails sent within\n                        an IRS building as emails sent between IRS\n                        buildings. This encryption is effective even if the\n                        network encryption fails.\n                    \xe2\x80\xa2   Secure Messaging keeps messages encrypted while\n                        stored on email servers and user workstations.\n                        Without Secure Messaging, emails are encrypted\n                        only during transmission.\n                    \xe2\x80\xa2   The Department of the Treasury is exploring\n                        potential uses of PKI technology. Using PKI\n                        technology in the Secure Messaging program could\n                        give the IRS some experience that may be beneficial\n                        if PKI technology is ever used for broader purposes.\n                While Secure Messaging does enhance encryption, it has\n                several disadvantages. Primarily, it is difficult for\n                management to enforce its use.\n\n\n                                                                       Page 3\n\x0cSensitive Data Sent Via Email Is Adequately Protected,\n          but Controls Could Be Streamlined\n\n                When the IRS implemented the Secure Messaging program\n                in June 2002, the goal was to have 100 percent of all\n                employees enrolled in Secure Messaging by\n                September 30, 2002. However, as of September 2004,\n                2 years into the program, IRS records showed that only\n                62,535 (76 percent) of the 81,913 total email mailboxes\n                were enrolled in the Secure Messaging program.\n                In addition, management has not ensured employees comply\n                with the requirements to encrypt all emails containing\n                SBU data. Employees are not always using the Secure\n                Messaging encryption process when sending SBU data\n                internally.\n                We judgmentally selected 60 email mailboxes and reviewed\n                messages that were composed between April 1, 2004, and\n                July 14, 2004. Our sample of 20,983 emails was comprised\n                of 30 employees who were enrolled (12,546 emails) and\n                30 employees not enrolled (8,437 emails) in the Secure\n                Messaging program.\n                We identified 183 unencrypted messages containing SBU\n                data in 26 (43 percent) of the 60 mailboxes reviewed. We\n                found that 110 (60 percent) of the 183 unencrypted\n                messages were in non-enrolled users\xe2\x80\x99 mailboxes. However,\n                more than half the employees enrolled in Secure Messaging\n                also had unencrypted emails with sensitive data in their\n                mailboxes.\n                Although the use of Secure Messaging has been mandated\n                by the IRS, managers have not provided sufficient attention\n                to ensure employee compliance. To enforce the use of\n                Secure Messaging, managers would have to periodically\n                review email files on employees\xe2\x80\x99 computers to determine if\n                they had used Securing Messaging to encrypt sensitive data.\n                We recognize this effort could be overly burdensome for\n                first-line managers in addition to the other requirements for\n                their time.\n                Secure Messaging has other disadvantages. For example:\n                    \xe2\x80\xa2   The added encryption provided by Secure\n                        Messaging increases the size of messages. While the\n                        impact on a small email message is insignificant, the\n                        impact on a large message with attachments can\n                        increase the size of the email by 25 to 30 percent.\n                                                                      Page 4\n\x0cSensitive Data Sent Via Email Is Adequately Protected,\n          but Controls Could Be Streamlined\n\n                        Consequently, the IRS must use additional network\n                        bandwidth for transmission and more storage space\n                        on email servers.\n                    \xe2\x80\xa2   In addition to the $350,000 initially spent to\n                        implement the Secure Messaging program, the IRS\n                        is incurring ongoing costs to administer it. The\n                        program requires dedicated servers and\n                        5 part-time employees costing about $156,000 per\n                        year to manage the hardware and software. The IRS\n                        could potentially put these funds to better use if\n                        Secure Messaging were not continued.\n                While Secure Messaging provides additional protection\n                when using email, the use of this feature requires substantial\n                management oversight and associated costs. NIST guidance\n                recommends organizations weigh the costs and benefits\n                associated with implementing a sound encryption policy.\n                To our knowledge, the IRS has not reevaluated the need or\n                weighed the costs and benefits for the Secure Messaging\n                program since it was implemented in June 2002.\n\n                Recommendations\n                The CIO should coordinate with business unit owners to:\n                1. Reevaluate and weigh the costs and benefits of\n                   continuing the Secure Messaging program.\n                Management\xe2\x80\x99s Response: The CIO did not agree with this\n                recommendation. The CIO indicated with the issuance of\n                HSPD 12, dated August 27, 2004, entitled \xe2\x80\x9cPolicy for\n                Common Identification Standard for Federal Employees and\n                Contractors,\xe2\x80\x9d all Federal Government agencies are\n                mandated to implement PKI as a central component of\n                logical access controls. Since Secure Messaging provides a\n                useful migration path to PKI, it will remain a key\n                component of the IRS\xe2\x80\x99 transition activities. The CIO also\n                questioned our sampling methodology.\n                Office of Audit Comment: We believe the conclusions\n                raised and recommendations in this report are valid. Based\n                on our review of HSPD 12 and interviews with Federal\n                Government experts on the subject, we believe HSPD 12 is\n                not relevant to Secure Messaging. Regarding our sampling\n                methodology, we selected a random sample of 60 mailboxes\n                                                                       Page 5\n\x0cSensitive Data Sent Via Email Is Adequately Protected,\n          but Controls Could Be Streamlined\n\n                and reviewed approximately 21,000 emails in our review\n                and reached conclusions based on that analysis. Our sample\n                was clearly large enough to support our conclusion that IRS\n                employees are not complying with Secure Messaging\n                procedures. A statistical sample was not necessary because\n                we did not intend to project our results to the entire\n                population of IRS emails. We made the recommendation to\n                evaluate costs and benefits because we believe the IRS\n                could save costs and reduce the impact on managers and\n                employees by not requiring Secure Messaging.\n                If the CIO and business unit owners decide to continue the\n                Secure Messaging program they should:\n                2. Continue awareness training to encourage all IRS\n                   employees who send sensitive data via email to enroll in\n                   the Secure Messaging program and comply with its\n                   procedures.\n                Management\xe2\x80\x99s Response: The Modernization and\n                Information Technology Services (MITS) organization will\n                continue to promote employee awareness. The Mission\n                Assurance and Security Service (MA&SS) organization will\n                incorporate Secure Messaging with the annual online\n                computer security awareness training required for all\n                employees.\n                3. Require first-line managers to periodically review\n                   employees\xe2\x80\x99 use of Secure Messaging to ensure\n                   compliance.\n                Management\xe2\x80\x99s Response: The MA&SS and MITS\n                organizations will issue a joint memo mandating the\n                enrollment of all employees in secure messaging. The\n                MITS organization will work with the business units to\n                develop a cost-effective way of assessing compliance.\n\n\n\n\n                                                                        Page 6\n\x0c                  Sensitive Data Sent Via Email Is Adequately Protected,\n                            but Controls Could Be Streamlined\n\n                                                                                      Appendix I\n\n\n                      Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to assess whether the Internal Revenue Service (IRS) is\nadequately protecting sensitive data sent via email. To accomplish this objective, we:\nI.     Determined whether the use of Secure Messaging was necessary and effective for\n       reducing the risk of sensitive data being intercepted or whether the other levels of\n       encryption used by the IRS were adequate.\n       A.     We interviewed responsible IRS officials and reviewed policies, laws, and\n              standards applicable to Secure Messaging encrypted email, as well as the network\n              flow of general and sensitive data.\n       B.     We compared these requirements with the encryption levels documented in the\n              IRS\xe2\x80\x99 Certification and Accreditation report, local and wide area network\n              infrastructure, and software specifications.\n       C.     We determined and illustrated the encryption and decryption points in the data\n              transmission stream.\n       D.     At the request of the IRS\xe2\x80\x99 Chief Information Officer, we evaluated Homeland\n              Security Presidential Directive (HSPD) 12, dated August 27, 2004, entitled\n              \xe2\x80\x9cPolicy for Common Identification Standard for Federal Employees and\n              Contractors,\xe2\x80\x9d reviewed the draft Federal Information Processing Standards\n              Publication 201, entitled \xe2\x80\x9cPersonal Identity Verification (PIV) for Federal\n              Employees and Contractors,\xe2\x80\x9d and attended a public forum on HSPD 12 to\n              determine whether it has any impact on Secure Messaging.\nII.    Determined whether Secure Messaging encryption was applied effectively and\n       consistently to protect sensitive data sent via email.\n       A.     We identified the total number of IRS employee mailboxes and the number\n              enrolled in the Secure Messaging program.\n       B.     We determined whether IRS employees were sending sensitive data via email\n              without using the Secure Messaging feature by selecting a judgmental sample.\n              We selected a judgmental sample because we did not intend to project the results\n              to all mailboxes.\n\n\n\n\n                                                                                              Page 7\n\x0c                 Sensitive Data Sent Via Email Is Adequately Protected,\n                           but Controls Could Be Streamlined\n\n              We selected mailboxes from specific business units that we believed would have\n              the most likelihood of sending emails with sensitive data. From the IRS\xe2\x80\x99 Secure\n              Messaging website, we were able to download all IRS email users both enrolled\n              and not enrolled in Secure Messaging, a total of 82,439 mailboxes. We separated\n              five offices: Appeals, Agency-Wide Shared Services, Small Business/Self-\n              Employed Division, Large and Mid-Size Business Division, and the Tax Exempt\n              and Government Entities Division. These offices accounted for 34,474\n              mailboxes. We selected a random sample of 30 mailboxes from both the enrolled\n              and not enrolled users in these offices, for a total of 60 sampled mailboxes. We\n              reviewed 20,983 emails sent and received by these employees from April 1, 2004,\n              to July 14, 2004.\nIII.   Determined whether IRS employees were forwarding and/or sending sensitive data via\n       email outside the IRS network, either to taxpayers or their own personal computers, by\n       reviewing the messages from our sample in Step II. B. and IRS logs of messages sent\n       outside the IRS networks.\n\n\n\n\n                                                                                        Page 8\n\x0c                 Sensitive Data Sent Via Email Is Adequately Protected,\n                           but Controls Could Be Streamlined\n\n                                                                                Appendix II\n\n\n                           Major Contributors to This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nStephen Mullins, Director\nThomas Polsfoot, Audit Manager\nDavid Brown, Senior Auditor\nGeorge Franklin, Auditor\n\n\n\n\n                                                                                         Page 9\n\x0c                 Sensitive Data Sent Via Email Is Adequately Protected,\n                           but Controls Could Be Streamlined\n\n                                                                                Appendix III\n\n\n                                Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Commissioner for Services and Enforcement SE\nChief, Mission Assurance and Security Services OS:MA\nAssociate Chief Information Officer, Information Technology Services OS:CIO:I\nDirector, Assurance Programs OS:MA:AP\nDirector, Business Systems Development OS:CIO:I:B\nDirector, End User Equipment and Services OS:CIO:I:EU\nDirector, Enterprise Networks OS:CIO:I:EN\nDirector, Enterprise Operations Services OS:CIO:I:EO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Management Controls OS:CFO:AR:M\nAudit Liaisons:\n       Chief Information Officer OS:CIO\n       Chief, Mission Assurance and Security Services OS:MA\n\n\n\n\n                                                                                     Page 10\n\x0cSensitive Data Sent Via Email Is Adequately Protected,\n          but Controls Could Be Streamlined\n\n                                                         Appendix IV\n\n\n      Management\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                              Page 11\n\x0cSensitive Data Sent Via Email Is Adequately Protected,\n          but Controls Could Be Streamlined\n\n\n\n\n                                                         Page 12\n\x0cSensitive Data Sent Via Email Is Adequately Protected,\n          but Controls Could Be Streamlined\n\n\n\n\n                                                         Page 13\n\x0cSensitive Data Sent Via Email Is Adequately Protected,\n          but Controls Could Be Streamlined\n\n\n\n\n                                                         Page 14\n\x0c'